
MRO Webcast: Exploring the Unknown ICS Landscape (PowerPoint presentation)
Robert M. Lee, @RobertMLee, www.Dragos.com


  1. MRO Webcast Exploring the Unknown ICS Landscape @RobertMLee www.Dragos.com

  2. Robert M. Lee
     Current:
     • CEO and Founder, Dragos, Inc.
     • SANS Institute Certified Instructor and Course Author (FOR578 & ICS515)
     • Non-resident National Cybersecurity Fellow, New America
     • PhD Candidate, King's College London
     • Writer, Little Bobby
     Previous:
     • U.S. Air Force Cyber Warfare Operations Officer
     • U.S. Intelligence Community

  3. Agenda
     • How are ICS Cyber Attacks Conducted?
     • ICS Cyber Attacks: Fact vs. Fiction
     • Project MIMICS and Bringing Realistic Metrics to the Community

  4. How Are ICS Cyber Attacks Conducted?


  7. Full Ukraine Report: http://ics.sans.org/duc5

  8. ICS Cyber Attacks: Fact vs. Fiction

  9. Illinois Water Hack
     Illinois Fusion Center report in 2011:
     • Russia hacked a water utility leading to a pump failure!
     Fact: Russian IP in logs and pump failure 5 months later
     Reality: Contractor was on vacation and learned of the incident via media

  10. Norse Iran Cyber Attacks
      Fact: No ICS were harmed in the making of this “report”

  11. 2008 Turkey Pipeline Explosion
      Bloomberg published “Mysterious ‘08 Turkey Pipeline Blast Opened New Cyberwar” in December 2014
      Fact: BTC Pipeline was attacked
      Reality: No “cyber” involved

  12. 2015 Turkey Blackout
      10-hour power failure reported by Bloomberg, CNN, and major media outlets as a possible Iranian cyber attack
      Fact: Aging infrastructure caused the outage
      Reality: “Cyber” linked through previous reports

  13. An Abbreviated History of ICS Threats
      • Insiders
      • Stuxnet
      • Shamoon (Non ICS Targeted)
      • Dragonfly (HAVEX)
      • Sandworm (BlackEnergy 2 and 3)
      • Incidental Malware Infections
        • Dragos’ MIMICS Research

  14. Example of the known: NCCIC / ICS-CERT Year in Review (FY 2015)
      [Two charts. “FY 2015 Incidents by Infection Vector (295 total)”: Spear Phishing, Network Scanning, Weak Authentication, SQL Injection, Brute Force, Abuse of Authorized Access, Other, Unknown. “FY 2015 Observed Depth of Intrusion”: Level 1 - Business DMZ, Level 2 - Business Network, Level 3 - Business Network Management, Level 4 - Critical System DMZ, Level 5 - Critical System Management, Level 6 - Critical Systems, Unknown. The per-category percentages are not recoverable from the extracted text.]

  15. Project MIMICS 15,000 samples over ~3 months

  16. MIMICS: Malware in Modern ICS
      • Only public data: Virustotal.com
        • Malware repository used by “the Internet” to test files against 50+ antivirus vendors
        • Also used Google, DNS data, etc.
      • Purpose of the research is census-like data
      • Explore hypotheses to give real data points without hype or fear

  17. Hypothesis 1 • Non-targeted intrusions/malware in ICS is far more common than realized

  18. Detect Rate (log)
      [Chart: number of files (log scale) against number of detections, with a high-hit-rate region and a low-hit-rate region]
      Summary statistics, detections per file:
        count  14949.000000
        mean   6.338484
        std    15.635142
        min    0.000000
        25%    0.000000
        50%    0.000000
        75%    0.000000
        max    57.000000

  19. Most Common Detections
      Trojan  Virus-like (PE Infector)  Virus-like (storage hopping)  Family    Count  Approximate First Seen
      ❔      ✅                        ✅                            sivis     15863  2012
      ❔      ✅                        ✅                            lamer     6830   2012
      ✅      ✅                        ✅                            ramnit    3716   2011
      ✅      ❌                        ❌                            sinowal   2909   2006
      ✅      ✅                        ✅                            cosmu     2769   2013
      ✅      ✅                        ✅                            virut     1814   2007
      ❔      ❔                        ❔                            eldorado  1554   2012
      ✅      ❔                        ❔                            skeeyah   1486   2015
      ✅      ❌                        ❌                            androm    1471   2013
      ❔      ✅                        ✅                            sality    1225   2003
      ❌      ✅                        ✅                            zatoxp    1093   2012
      ❌      ✅                        ❌                            neshta    1085   2008
      ✅      ✅                        ✅                            nimnul    963    2013
      ❔      ✅                        ✅                            visisig   905    2012
      ❌      ✅                        ✅                            siggen    642    2012
      ❌      ✅                        ✅                            graftor   586    2012
      ✅      ✅                        ✅                            virtob    468    2007

  20. New Things

  21. Hypothesis 2 • There are ICS themed intrusions/malware currently undiscovered or underreported by non-ICS security companies

  22. NMMSS Theme

  23. Siemens themed downloader
      • Downloader with Siemens theme embedded in vs_versioninfo
      • In wild since at least 2013
      • Last observed March 2017
      • Over 10 binaries located

  24. Behavior
      Request to the download server:
        GET /vip.htm HTTP/1.1
        Content-Type: text/html
        Accept: text/html, */*
        User-Agent: Mozilla/3.0 (compatible; Indy Library)
      Flow: fetch /vip.htm (repeated across several hosts) → Decrypt/read Stage 1 → Execute Stage 1 Payload → Stage 2 Download / Payload(s) execute
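As an added example that is not part of the deck, the request pattern above can be turned into a proxy-log check. The log line format, hosts and IPs below are constructed for the example; only the User-Agent string and the /vip.htm path come from the slide.

```python
# Added example: flag proxy log entries that match the stage-1 fetch described on
# the slide (GET /vip.htm with the Indy Library User-Agent). Log format is constructed.
import re
from typing import Dict, List, Optional

INDY_UA = "Mozilla/3.0 (compatible; Indy Library)"
STAGE1_PATH = "/vip.htm"

# Constructed format: <timestamp> <client_ip> <method> <url> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)

def score_line(line: str) -> Optional[Dict[str, object]]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable line: skip rather than guess
    ua_hit = m["ua"] == INDY_UA
    path_hit = m["url"].split("?", 1)[0].endswith(STAGE1_PATH)
    if not (ua_hit or path_hit):
        return None
    # Both together is the slide's stage-1 fetch. The Indy UA alone is a weak
    # signal: any Delphi/Indy-based software sends it by default.
    severity = "high" if (ua_hit and path_hit) else ("medium" if path_hit else "low")
    reasons = [r for r, hit in (("indy-ua", ua_hit), ("vip.htm", path_hit)) if hit]
    return {"ts": m["ts"], "client": m["client"], "url": m["url"],
            "reasons": reasons, "severity": severity}

def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return every scored hit, in log order."""
    return [h for h in (score_line(l) for l in lines) if h]

# Constructed sample lines; the .invalid host and private IPs are placeholders.
SAMPLE_LOG = [
    '2017-03-01T08:00:01Z 10.0.5.21 GET http://example.invalid/index.html "Mozilla/5.0"',
    '2017-03-01T08:00:07Z 10.0.5.40 GET http://example.invalid/vip.htm "Mozilla/3.0 (compatible; Indy Library)"',
    '2017-03-01T08:01:13Z 10.0.5.40 GET http://example.invalid/update.php "Mozilla/3.0 (compatible; Indy Library)"',
    '2017-03-01T08:02:00Z 10.0.5.77 GET http://example.invalid/vip.htm?x=1 "curl/7.52"',
    "garbage line",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["severity"], hit["client"], hit["url"], ",".join(hit["reasons"]))
```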

  25. Submissions (timeline, in order)
      11/2013, 12/2013, 1/2014, 2/2014, 3/2014, 3/2014, 7/2014, 10/2016, 11/2016 (2x)

  26. User Behavior & Poor Operations Security

  27. Hypothesis 3
      • Non-ICS security trained teams and IT security products are submitting legitimate ICS software and files to public databases
      Weird hypocrisy: you don’t trust your AV but you do trust 50 other AV companies?

  28. Project files
      ~120 project files over the course of ~90 days
      • Speed Control BOM.rfq
      • LogixDiagnostics.ACD
      • LCS24.RSS
      • DRIVE_CONTROL_ML1100_PF4CLASS-EN-DRV_CTRL-C0_07.RSS
      • Rizhao_tertiary.RSS
      • H:\Simple Systems\PBR\PB&R_ML1100_PF40-EN-PBR_PF40-C0_07.RSS
      • C:\Users\Wu.Charlene\Downloads\8110409835_HMI_PAR_Line9_v1_04.mer
      • Untitled.RSS
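An added example, not from the deck, of the pre-submission check that Hypothesis 3 implies: before a file from an ICS environment is sent to a public multi-scanner, recognise the engineering file types shown on this slide and note paths that leak usernames or drive layouts. The extensions come from the slide; the vendor names in the comments and the sample file list are my own additions.

```python
# Added example: triage file names/paths before upload to a public scanner.
# Extensions are the ones on the slide (Rockwell RSLogix 500 .RSS, RSLogix 5000 .ACD,
# FactoryTalk View ME runtime .mer, and a bill-of-materials RFQ). Sample list is constructed.
import re
from typing import Dict, List

ICS_EXTENSIONS = {
    ".rss": "RSLogix 500 project",
    ".acd": "RSLogix 5000 project",
    ".mer": "FactoryTalk View ME runtime",
    ".rfq": "engineering BOM/RFQ",
}

WIN_USER_PATH = re.compile(r"^[A-Za-z]:\\Users\\(?P<user>[^\\]+)\\", re.IGNORECASE)
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")

def assess_submission(name: str) -> Dict[str, object]:
    """Classify one file name or full path as it would appear in an upload log."""
    base = name.replace("/", "\\").rsplit("\\", 1)[-1]
    ext = ("." + base.rsplit(".", 1)[-1].lower()) if "." in base else ""
    findings: List[str] = []
    if ext in ICS_EXTENSIONS:
        findings.append(f"ICS engineering file ({ICS_EXTENSIONS[ext]})")
    m = WIN_USER_PATH.match(name)
    if m:
        findings.append(f"leaks Windows username '{m['user']}'")
    elif DRIVE_PATH.match(name):
        findings.append("leaks local/network drive path")
    # ICS project files should never go to a public scanner; other findings need review.
    return {"name": base, "block": ext in ICS_EXTENSIONS, "findings": findings}

def triage(names: List[str]) -> List[Dict[str, object]]:
    """Return only the submissions that need a decision before upload."""
    return [r for r in (assess_submission(n) for n in names) if r["findings"]]

# Constructed sample shaped like the slide's list; the username is a placeholder.
SAMPLE = [
    "Speed Control BOM.rfq",
    "LogixDiagnostics.ACD",
    r"H:\Simple Systems\PBR\PB&R_ML1100_PF40-EN-PBR_PF40-C0_07.RSS",
    r"C:\Users\jdoe\Downloads\Line9_HMI_v1_04.mer",
    "quarterly_report.pdf",
    "setup.exe",
]

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print("BLOCK" if r["block"] else "REVIEW", r["name"], "; ".join(r["findings"]))
```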

  29. Data files

  30. Installers

  31. Scan your public content
      One electric utility, starting in 2012, began routinely uploading its entire public website to VirusTotal.
      136 files indexed on VT

  32. Practices
      Things to do:
      • Use VT as a data source
      • Have suspected and confirmed malware handling guidance/processes
      Things NOT to do:
      • Treat VT as a whitelist
      • Treat VT as a blacklist
      • Use VT to validate your AV
      • Allow your outsourced teams (IT security or AV) to make decisions about your data

  33. Key Takeaways
      • Industrial cyber attacks are worth understanding – but avoid the hype
      • Security in the ICS contributes to reliability even if just against common viruses
      • You’re more likely to be impacted with Virut than Stuxnet
      • ICS themed malware (but not enabled) is definitely a thing
      • VirusTotal is useful to shed light on specific campaigns post facto
      • Supply chain weakness through legit binaries

  34. Stay in Touch: @robertmlee · Dragos.com · RLee@Dragos.com · @DragosInc
      Questions?
